Windows 7 - Promiscuos mode in wifi adapter

Asked By Arsalan Ahmad on 20-Nov-07 12:39 PM
Hello all,

Is it possible for a wifi card in windows to listen to a channel and how one
can retrieve all the packets listened in an application using NdisProt
driver or something else? Any hint...

Thanks,

Arsalan




Gianluca Varenni replied on 20-Nov-07 05:28 PM
You can capture all the packets sent/transmitted by your machine on a
wireless card, but on pre-vista OSes what you will capture is "fake"
ethernet packets (i.e. the 802.11 packets are transformed into 802.3
packets). This is how wireless cards work on pre-vista OSes. You won't be
able to capture management and control frames, only data frames, basically.
As to promiscuous mode, some (few) wireless network card drivers support
this mode.

Under Vista, things get more complicated (it basically depends on whether
the card has a native wifi driver or an old-style driver).

I suggest you to try installing WinPcap + Wireshark and see what you can
capture.

Have a nice day
GV

--
Gianluca Varenni, Windows DDK MVP

CACE Technologies
http://www.cacetech.com
Stephan Wolf [MVP] replied on 22-Nov-07 02:53 AM
Agreed. Pre-Vista Windows treats WLAN much as Ethernet from a protocol
perspective. That is, the WLAN NDIS miniport driver pretends to
support Ethernet (NdisMedium802_3) as its medium. See the description
on OID_GEN_MEDIA_SUPPORTED for details. Note that the same driver will
have NdisPhysicalMediumWirelessLan as its OID_GEN_PHYSICAL_MEDIUM.

WLAN miniports usually do not support promiscuous mode the way you
would expect (if they support it at all).

Tools like AiroPeek/OmniPeek etc. use special WLAN miniports that
support some kind of "raw" promiscuous mode. These drivers are AFAIK
not MS certified.

One solution would be to look out for a WLAN card that is supported
under Linux and run WireShark there. I have seen people running
Windows on their host and Linux as a virtual machine guest (VMware).
Then use a physical USB WLAN card, which can be accessed by Linux in
the VM directly, and then run WireShark.

Vista should be an option, too.

HTH, Stephan
---
On Nov 20, 11:28 pm, "Gianluca Varenni"
Gianluca Varenni replied on 21-Nov-07 02:59 PM
Not really. As far as I've seen, several wireless cards with native wifi
drivers still provide "cooked" 802.11 frames. E.g. they transform DATA+QoS
packets into DATA packets (DATA+QoS packets are pretty common with 802.11n
APs).

Hope if helps
GV